GHSA-r2fc-ccr8-96c4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r2fc-ccr8-96c4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-r2fc-ccr8-96c4/GHSA-r2fc-ccr8-96c4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r2fc-ccr8-96c4
- Aliases
- Related
- Published
- 2025-07-03T20:30:18Z
- Modified
- 2025-07-03T21:49:00Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Next.js has a Cache poisoning vulnerability due to omission of the Vary header
- Details
-
Summary
A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.
Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.
More details: CVE-2025-49005
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-07-03T20:30:18Z", "nvd_published_at": "2025-07-03T21:15:26Z", "cwe_ids": [ "CWE-444" ], "severity": "LOW" }- References
-
- https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4
- https://nvd.nist.gov/vuln/detail/CVE-2025-49005
- https://github.com/vercel/next.js/issues/79346
- https://github.com/vercel/next.js/pull/79939
- https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066
- https://github.com/vercel/next.js
- https://github.com/vercel/next.js/releases/tag/v15.3.3
- https://vercel.com/changelog/cve-2025-49005
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next